ssl_trusted_certificate usage with parallel ECDSA / RSA certificates ?


lists
I've created 2 LetsEncrypt SSL certs -- an EC and an RSA.

Following

        Support for parallel ECDSA / RSA certificates
          https://trac.nginx.org/nginx/ticket/814

I configure

    ssl_certificate           "/etc/letsencrypt/live/example.com/fullchain.ec.pem";
    ssl_certificate_key       "/etc/ssl/keys/privkey_ec.pem";
    ssl_certificate           "/etc/letsencrypt/live/example.com/fullchain.rsa.pem";
    ssl_certificate_key       "/etc/ssl/keys/privkey_rsa.pem";

Although the trusted cert isn't mentioned in ticket/814, the 'chain.pem' is what's used in nginx

    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.ec.pem";
    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.rsa.pem";

But this config fails the nginx config check

        nginx: [emerg] "ssl_trusted_certificate" directive is duplicate in /etc/nginx/sites-enabled/example.com.conf:50
        nginx: configuration file /etc/nginx/nginx.conf test failed

Commenting out one of the 2 ssl_trusted_cert stanzas

    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.ec.pem";
#    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.rsa.pem";

and rerunning the check, it passes.

In 'parallel' SSL mode, what's the correct usage for 'ssl_trusted_certificate'?

Do I use one (ec), the other (rsa), or do you have to concatenate BOTH into one crt?

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: ssl_trusted_certificate usage with parallel ECDSA / RSA certificates ?

Sergey Kandaurov

> On 11 Aug 2016, at 16:03, [hidden email] wrote:
>
> I've created 2 LetsEncrypt SSL certs -- an EC and an RSA.
>
> Following
>
> Support for parallel ECDSA / RSA certificates
>  https://trac.nginx.org/nginx/ticket/814
>

ssl_trusted_certificate is orthogonal to multiple certificates support.

[..]

> nginx: [emerg] "ssl_trusted_certificate" directive is duplicate in /etc/nginx/sites-enabled/example.com.conf:50
> nginx: configuration file /etc/nginx/nginx.conf test failed
>
> Commenting out one of the 2 ssl_trusted_cert stanzas
>
>    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.ec.pem";
> #    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.rsa.pem";
>
> and rerunning the check, it passes.
>
> In ‘parallel’ SSL mode, what’s the correct usage for ‘ssl_trusted_certificate'?
>

The directive specifies a file with trusted CA certificates.

See for details:
http://nginx.org/r/ssl_trusted_certificate.

--
Sergey Kandaurov

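Added example (not from either post, and not nginx project code): the directive is accepted only once per context, but the one file it names may hold any number of PEM CA certificates, and nginx consults it when verifying client certificates (ssl_verify_client) and OCSP responses (ssl_stapling_verify). So the practical answer to "one, the other, or both" is to put the CA certificates of both chains into a single bundle. The script below merges two chain files into one bundle while dropping a CA that appears in both, renders the two certificate/key pairs with exactly one ssl_trusted_certificate line, and counts active directives the way `nginx -t` would flag a duplicate. The chain contents are constructed placeholders (PEM framing around a base64 label, not parseable X.509), and the bundle path chain.trusted.pem is an assumed name.

```python
import base64
import re
import textwrap

# One PEM certificate block: BEGIN line, base64 body, END line (CRLF tolerated).
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_certificates(pem_text):
    """Return the certificate blocks of a PEM file, re-wrapped to 64 columns, in file order."""
    certs = []
    for body in _PEM_CERT_RE.findall(pem_text):
        b64 = "".join(body.split())  # drop line breaks so equal certs compare equal
        certs.append("-----BEGIN CERTIFICATE-----\n"
                     + "\n".join(textwrap.wrap(b64, 64))
                     + "\n-----END CERTIFICATE-----\n")
    return certs


def merge_trust_bundles(*pem_texts):
    """Concatenate several chain files into one trusted bundle, keeping each CA once.

    nginx takes a single ssl_trusted_certificate per context, but that file may
    contain many CA certificates, so the EC chain and the RSA chain are merged.
    """
    seen = set()
    merged = []
    for text in pem_texts:
        for cert in pem_certificates(text):
            if cert not in seen:
                seen.add(cert)
                merged.append(cert)
    return "".join(merged)


def render_ssl_server_block(ec_cert, ec_key, rsa_cert, rsa_key, trusted_bundle):
    """Emit both certificate/key pairs and exactly one ssl_trusted_certificate."""
    return textwrap.dedent(f"""\
        ssl_certificate           "{ec_cert}";
        ssl_certificate_key       "{ec_key}";
        ssl_certificate           "{rsa_cert}";
        ssl_certificate_key       "{rsa_key}";
        ssl_trusted_certificate   "{trusted_bundle}";
        """)


def directive_count(config_text, directive):
    """Count active (non-commented) occurrences of a directive, as nginx -t sees them."""
    n = 0
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(rf"{re.escape(directive)}\s", stripped):
            n += 1
    return n


def _placeholder_cert(label):
    # Constructed stand-in for a certificate: PEM framing around a base64 label.
    # Not a real X.509 certificate; it only exercises the PEM handling above.
    body = base64.b64encode(label.encode()).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample chains: each has its own intermediate plus a CA common to both.
EC_INTERMEDIATE = _placeholder_cert("constructed: ECDSA intermediate CA")
RSA_INTERMEDIATE = _placeholder_cert("constructed: RSA intermediate CA")
SHARED_CA = _placeholder_cert("constructed: CA present in both chain files")
EC_CHAIN = EC_INTERMEDIATE + SHARED_CA
RSA_CHAIN = RSA_INTERMEDIATE + SHARED_CA

# Assumed paths; the bundle name chain.trusted.pem is not from the original post.
LIVE = "/etc/letsencrypt/live/example.com"
SERVER_BLOCK = render_ssl_server_block(
    f"{LIVE}/fullchain.ec.pem", "/etc/ssl/keys/privkey_ec.pem",
    f"{LIVE}/fullchain.rsa.pem", "/etc/ssl/keys/privkey_rsa.pem",
    f"{LIVE}/chain.trusted.pem",
)

if __name__ == "__main__":
    bundle = merge_trust_bundles(EC_CHAIN, RSA_CHAIN)
    print(f"{len(pem_certificates(bundle))} unique CA certificates in merged bundle")
    print(SERVER_BLOCK)
```

Write the merged bundle to the path given in the single ssl_trusted_certificate line, then run `nginx -t`; the duplicate-directive error goes away because only one directive remains, and the file still carries the CAs of both chains. If the server does neither client-certificate verification nor OCSP stapling verification, the directive is not needed at all.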